The Forrester New Wave™: Cybersecurity Risk Ratings, Q4 2018

Earlier today, we published “The Forrester New Wave™: Cybersecurity Risk Ratings, Q4 2018” evaluation. We take a close look at the nine most important vendors in this rising market, reviewing their current capabilities, customer references, and strategic road maps. This includes vendor profiles, with our analysis and buyer recommendations to support security and risk leaders in their quest to find the right cyber-risk rating tool.

Vendors covered (alphabetically): BitSight, FICO, iTrust, NormShield, Panorays, Prevalent, RiskRecon, SecurityScorecard, and UpGuard.


Third-Party Risk From The Attacker’s View

Cyber-risk rating tools show their value right away. They will scan and score your third-party risk environment and identify glaring gaps of key partners as early as your initial meeting. Especially with intuitive dashboards, reports, and risk insight all immediately in hand, it’s easy to get excited and pounce on the first solution that comes your way. Before you commit, though, determine how you will use the cyber-risk rating tool within your existing third-party risk management (TPRM) activities, noting that:

  1. Consistency, transparency, and correlation are critical factors. Picking a tool that is accurate and reliable in its ratings couldn’t be more important given the gravity of the decisions you will make based on them (e.g., terminating a key supplier relationship). Vendors mostly recognize this and take painstaking measures to ensure that their risk models and scoring methodologies are as accurate and as strongly correlated to real risk exposure as possible. Still, cyber-risk rating vendors vary in their approach, each touting stronger statistical correlation than the next — which is why security and risk pros must scrutinize the scoring mechanics and demand detailed validation to back up vendor claims.
  2. Risk ratings supplement — not supplant — existing TPRM technology. Cyber-risk ratings and the outside-in perspective they generate come with many benefits: risk-prioritized vendor lists, assessment and questionnaire validation, and clear signals of control gaps and broader cybersecurity hygiene. Still, many organizations will need other TPRM or GRC platform capabilities to measure and manage third-party risk in the context of the rest of their business and IT risk environments.
  3. They’re multipurpose. Security and risk pros find many uses of cyber-risk ratings: to monitor and score their own external cyber-risk exposure, to cite as security performance metrics in executive and board meetings, to conduct due diligence and M&A reviews, and, even in some cases, to tout in customer and prospect meetings.
  4. Cyberinsurance is a distinct and separate buyer segment. Cyberinsurers increasingly turn to cyber-risk rating and analytics tools to improve their policy and coverage decisions regarding cyberinsurance. While it’s a valid (and likely lucrative) use case for vendors to support, it was not a focus for this evaluation. Security and risk pros have more and different needs that extend beyond core risk measurement. For example, they benefit more from functionality for third-party coordination and action-plan tracking, as well as integration into GRC platforms and other security tools.
  5. If intelligence is more important to you than a true rating, there are more options. Threat intelligence and digital risk protection (DRP) solutions support third-party risk use cases, as well. They use similar collection and analytics techniques that will monitor your third parties and alert you to new risk events and related threats. But they fall short of offering a complete cyber-risk rating solution, lacking consistent rating methodologies, without the necessary risk modeling rigor needed to maintain a consistent and correlated cyber-risk score.

Cyber-Risk Ratings: Vendor Profiles And Wave Positions

Check out the full report, “The Forrester New Wave™: Cybersecurity Risk Rating Solutions, Q4 2018,” to see where vendors stand out and which ones you need to add to your watchlist.

As always, I’d love to hear your reactions! Connect with me on Twitter: @nickhayes10.